lusrmgr.msg.

to grant “Local Machine” Administrator permissions to a Windows Domain User through lusrmgr.msc:

Remotely login to the User’s Workstation as a “Domain Admin” (or physically sit in front of the User's Windows PC).

Win+R –> “lusrmgr.msc”.

From the Local Users and Groups Snap-in, Browse to Groups, Double Click on the “Administrators”-Group, locate your Domain User Account & grant him/her membership to the “Administrators”-Group.

Repeat 1..3 for each desired Windows Computer.

Restricted Groups.

lusrmgr.msc may work for your "home" domain or lab.

For that funny bunch of your colleagues, you may wish to use a more convenient way to perform the task of granting them “Local Machine” Administrator permissions.

The Restricted Groups-feature provides you more automation than the "lusrmgr.msc"-method (especially in regards to Step 4).

The Restricted Groups does just that - it "restricts" local groups membership to the (domain) Groups of your choice.

There are 2 ways to use Restricted Groups.

The first way simply adds New Users along the pre-existing Local Administrators Users (within the (Local) "Administrators"-Group).

The second way resets (ie. deletes/wipes) ALL the pre-existing Local Administrators Users off the (Local) "Administrators"-Group.

Restricted Groups / Secure Restricted Groups requirements.

Active Directory Domain (SBS or Windows Server 2000+ based).

Your "Domain User(s)" have to be members of a "Domain Group" (alas not so common on some SBS environments...).
On my example, I will assume your Domain User Jack Daniels is a member of the Group "G_HeadOfficeWorkstationAdmins".

Since the Restricted Groups feature is provided by Group Policy, you should also have an OU with some Computers (unless you want to edit the "Default Domain Policy", which, of course you "can do"!).

Restricted Groups on your workstations - in 10 easy steps.

Today I will show you Restricted Groups because it is automated, non-destructive and less confusing to implement.

On my next article, I'll show you how to implement Secure Restricted Groups (which is pretty similar BTW).

With Restricted Groups you will automatically add New Users to the (Local) "Administrators"-Group of each Windows PC member of your Domain.

That way, pre-existing Users (ie. already Members of the (Local) Administrators Group), won't be affected at all (which, depending on how you see it, it may represent an advantage OR a disadvantage).

On the Right pane of “Restricted Groups”, Right click and Select "Add Group...".

To provide Local Admin Permissions to a Pre-existing Group (ie. say "G_HeadOfficeWorkstationAdmins"), Click on the "Browse..."-Button, locate G_HeadOfficeWorkstationAdmins (the group you wish to attach Local Admin Creds to) and Click Ok to confirm.

A new "Group Name Properties"-window will popup.
On the new properties window skip/ignore the first text box area (ie. the one that says “Members of this group”...).

Focus your attention to the second text box area, where it says "This group is a member of:"(on the lower half).

From http://support.microsoft.com/kb/279301 :"The "Member Of" list specifies which other groups the restricted group should belong to".

Click on the "Add"-Button and Type (or copy-paste) "BuiltIn\Administrators" in the Group Membership dialog then Click OK to Confirm.